{“lastseen”:”2026-04-13T16:43:54″,”description”:”InvoicePlane versions 1.6.3 and below suffer from a path traversal vulnerability in the getfile method of the Guest module…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 InvoicePlane 1.6.3 Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:218820″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-23491″],”sourceData”:”# CVE-2026-23491: InvoicePlane has Unauthenticated Path Traversal in Guest Controller\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2026-23491](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-23491) |\\n | **Severity** | CRITICAL |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/InvoicePlane\/InvoicePlane\/security\/advisories\/GHSA-88gq-mv54-v3fc) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **InvoicePlane\/InvoicePlane**\\n \\n \\n \\n ## Details\\n \\n ### Summary\\n A path traversal vulnerability exists in the `get_file` method of the `Guest` module’s `Get` controller in InvoicePlane v1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials.\\n \\n ### Details\\n The vulnerability is located in the `application\/modules\/guest\/controllers\/Get.php` file, specifically within the `get_file` function.\\n \\n The function accepts a `$filename` parameter directly from the URL. It performs `urldecode($filename)` but fails to sanitize the input for directory traversal sequences (e.g., `..\/`). The sanitized filename is then concatenated with a base directory (`$this-\\u003etargetPath`, which maps to `uploads\/customer_files\/`) and passed to the `readfile()` function.\\n \\n **Vulnerable Code Snippet:**\\n “`php\\n public function get_file($filename): void\\n {\\n $filename = urldecode($filename);\\n if ( ! file_exists($this-\\u003etargetPath . $filename)) {\\n $ref = isset($_SERVER[‘HTTP_REFERER’]) ? ‘, Referer:’ . $_SERVER[‘HTTP_REFERER’] : ”;\\n $this-\\u003erespond_message(404, ‘upload_error_file_not_found’, $this-\\u003etargetPath . $filename . $ref);\\n }\\n \\n \/\/ … headers setting content type and disposition …\\n \\n readfile($this-\\u003etargetPath . $filename);\\n }\\n “`\\n \\n Because `$filename` is user-controlled and unchecked, an attacker can provide a string like `..\/..\/ipconfig.php` to break out of the intended directory.\\n \\n ### PoC\\n The following cURL command demonstrates reading the `ipconfig.php` file (which resides two directories up from the default `uploads\/customer_files\/` directory):\\n \\n “`bash\\n curl http:\/\/localhost\/index.php\/guest\/get\/get_file\/..%2f..%2fipconfig.php\\n “`\\n \\n \\u003cimg width=\\”1101\\” height=\\”930\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/5b446157-b2e3-4428-b357-406bfcebc6f4\\” \/\\u003e\\n \\n \\n **Expected Output:**\\n The server responds with the content of `ipconfig.php`, which includes sensitive environment variables like `DB_PASSWORD` and `ENCRYPTION_KEY`.\\n \\n ### Impact\\n \\n Attackers can read the application configuration, source code, and potentially other files on the system readable by the web server user.\\n \\n ## References\\n \\n – https:\/\/github.com\/InvoicePlane\/InvoicePlane\/security\/advisories\/GHSA-88gq-mv54-v3fc\\n – https:\/\/github.com\/InvoicePlane\/InvoicePlane\/commit\/add8bb798dde621f886823065ef1841986543c69\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218820″,”cvss”:{“score”:9.3,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:H\/VI:N\/SI:H\/VA:N\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218820\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T16:43:54″,”description”:”InvoicePlane versions 1.6.3 and below suffer from a path traversal vulnerability in the getfile method of the Guest module…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 InvoicePlane 1.6.3 Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:218820″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-23491″],”sourceData”:”# CVE-2026-23491: InvoicePlane…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,13,53,7,11,5],"class_list":["post-46329","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n